Amendments to the Claims 



This listing of claims will replace all prior versions and listings of claims in 
the application: 

Listing of Claims: 

1. (Previously presented) In a computer network, a method for 
maintaining an acceptable use policy comprising: 

receiving input from a user selecting a subject matter category for use in 
monitoring network communications; 

monitoring TCP/IP network communications; 

storing raw TCP/IP session data of said TCP/IP network communications 
on disk, even when the communication does not conform to a known protocol; 

testing the stored communications for the presence of at least one 
preselected criterion, wherein the preselected criterion is defined by a user, is 
associated with the user selected subject matter category, and comprises one or 
more regular expressions and wherein the raw TCP/IP session data including all 
TCP control and payload data is tested for the presence of the at least one 
preselected criterion; 

deleting the communications if the presence of said at least one 
preselected criterion is not determined; and 

storing the communications if the presence of said at least one 
preselected criterion is determined[[.]] ; 

wherein the preselected criterion comprises two or more subject matter 
categories; 

wherein said subject matter categories comprise regular expressions; 

wherein a first portion of said regular expressions are assigned weights 
with negative values and a second portion of said regular expressions are 
assigned weights with positive values; and 

wherein regular expressions within a subject matter category having a 
negative value are processed before regular expressions having a positive value. 

2-5. (Cancelled) 
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6. (Previously presented) The method of claim 1 , wherein the 
preselected criterion is weighted. 

7-8. (Cancelled) 

9. (Previously presented) The method of claim 1 , further comprising 
prioritizing the order in which regular expressions within a subject matter category 
are tested. 

10. (Previously Presented) The method of claim 9, wherein said 
prioritizing reduces the likelihood of false hits. 

11. (Cancelled). 

12. (Previously Presented) The method of claim 1 , wherein the 
computer network is a wide area network. 

13. (Previously Presented) The method of claim 1 , wherein the 
computer network is a local area network. 

14. (Currently Amended) The method of claim [[2]] 1, wherein the 
presence of the preselected criterion in at least one of said categories comprises 
a match in a plurality of categories. 

15. (Currently Amended) The method of claim [[2]] 1, wherein said 
subject matter categories comprise key words. 

16. (Cancelled). 

17. (Currently Amended) The method of claim [[2]] 1, further comprising 
assigning a threshold value to each subject matter category. 

18. (Previously Presented) The method of claim 17, wherein at least 
some of said subject matter categories comprise one or more predetermined 
expressions. 

19. (Previously Presented) The method of claim 18, further comprising 
receiving user input assigning a value to said predetermined expressions. 
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20. (Previously Presented) The method of claim 19, further comprising 
summing the values of said predetermined expressions. 

21. (Previously Presented) The method of claim 20, wherein said 
communication is further stored if the sum of the values of said predetermined 
expressions comprising a subject matter category equal or exceed the threshold 
value assigned to said subject matter category. 

22. (Previously Presented) The method of claim 21 , wherein the 
threshold value of at least one subject matter category comprises equaling or 
exceeding the threshold value in a plurality of subject matter categories. 

23. (Previously Presented) The method of claim 21 , wherein said 
threshold values assigned to said subject matter categories are variable. 

24. (Previously Presented) The method of claim 18, wherein said 
subject matter categories have a hierarchical relationship. 

25. (Previously Presented) The method of claim 24, wherein said 
hierarchical relationship comprises defining the threshold value for at least one 
subject matter category as the presence of predetermined expressions in a 
plurality of other subject matter categories. 

26. (Previously Presented) The method of claim 24, wherein said 
hierarchical relationship comprises defining the threshold value for at least one 
subject matter category as matching or exceeding the threshold value assigned 
to a plurality of other subject matter categories. 

27. (Previously Presented) The method of claim 1, further comprising 
outputting a report relating to the presence of said at least one preselected 
criterion. 

28. (Previously Presented) The method of claim 27, wherein said 
report identifies individuals whose use of the computer network included 
communications which matched preselected criterion. 
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29. (Previously Presented) The method of claim 27, wherein said 
report identifies network addresses where communications were received or 
originated that included matched preselected criterion. 

30. (Previously Presented) The method of claim 2, further comprising 
outputting a report relating to the presence of preselected criterion, wherein said 
report identifies the number of matches in a category. 

31. (Previously Presented) The method of claim 30, wherein said 
report is in a graphical format and at least a portion of the stored communications 
is displayed in a user interface in a form matching that generated or viewed 
during the monitored TCP/IP network communications. 

32. (Previously Presented) The method of claim 27, wherein said 
report provides the text of all communications that match said preselected 
criterion. 

33. (Previously Presented) The method of claim 27, wherein said 
report is in a human readable format and at least a portion of the stored 
communications is provided in the report in a form matching that generated or 
viewed during the monitored TCP/IP network communications. 

34. (Previously presented) A method for monitoring and maintaining an 
acceptable use policy for computer network usage comprising: 

capturing data on a network, wherein the data comprises multiple half 
sessions of TCP/IP network communications; 

removing data content that does not contain language elements; 

testing the remaining content for the presence of predetermined 
expressions, wherein the predetermined expressions comprise two or more 
categories each containing predetermined expressions that are defined by a 
user; 

maintaining a sum of values associated with said predetermined 
expressions found within at least one category; and 
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storing the remaining data if the sum of values associated with said 
predetermined expressions within a category meets or exceeds a threshold value 
selected based on user input; 

wherein said expressions are weighted with either positive or negative 
values; 

wherein the negative valued expressions are tested first; and 
wherein the testing and the maintaining are halted and the storing is 

performed when the sum of values within a category meets or exceeds the 

threshold value. 

35. (Previously Presented) The method of claim 34, wherein said 
computer network is a wide area network. 

36. (Previously Presented) The method of claim 34, wherein said 
computer network is a local area network. 

37-41 (Cancelled). 

42. (Previously Presented ) The method of claim 34, wherein said 
negative and positive valued regular expressions are separately tested in the 
order of largest value to smallest value. 

43. (Cancelled) 

44. (Previously Presented) The method of claim 34, wherein said 
expressions include regular expressions. 

45. (Previously Presented) The method of claim 34, wherein the 
threshold value for at least one category comprises meeting or exceeding the 
threshold value for a plurality of other categories. 

46. (Previously Presented) The method of claim 34, wherein the 
threshold value of at least one category comprises meeting or exceeding the 
threshold value for at least one other category and not meeting or exceeding the 
threshold value for at least another category. 
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47. (Previously Presented) The method of claim 35, wherein said 
threshold value for a category is variable. 

48. (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions. 

49. (Previously Presented) The method of claim 48, wherein said report 
identifies individuals whose use of the computer network included 
communications which matched predetermined expressions. 

50. (Previously Presented) The method of claim 48, wherein said report 
identifies network addresses where communications were received or originated 
that included matched predetermined expressions. 

51 . (Previously Presented) The method of claim 34, further comprising 
outputting a report relating to the presence of predetermined expressions, 
wherein said report identifies the number of matches in a category. 

52. (Previously Presented) The method of claim 50, wherein said 
report is in a graphical format and at least a portion of the stored communications 
is displayed in a user interface in a form matching that generated or viewed 
during the monitored TCP/IP network communications. 

53. (Previously Presented) The method of claim 48, wherein said 
report provides the text of all communications that match said predetermined 
expressions. 

54. (Previously Presented) The method of claim 48, wherein said 
report is in a human readable format and at least a portion of the stored 
communications is provided in the report in a form matching that generated or 
viewed during the monitored TCP/IP network communications. 

55. (Previously Presented) A method for monitoring and maintaining 
an acceptable use policy for computer network usage comprising: 

capturing TCP/IP data on a network; 
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removing data content that does not contain language elements and 
storing a remaining content comprising a string of language elements separated 
by spaces without regard to original formatting of the captured TCP/IP data; 

defining categories with weighted predetermined expressions, wherein the 
predetermined expressions are defined by a user; 

testing the remaining content for the presence of predetermined 
expressions; 

maintaining a sum of values associated with said predetermined 
expressions found within each category; and 

storing the remaining data if the sum of values associated with said 
predetermined expressions present within a category exceeds a threshold value. 

56. (Previously Presented) The method of claim 55, wherein said 
remaining data is stored only if the sum of predetermined expressions exceeds 
the threshold value in a plurality of categories. 

57. (Previously Presented) The method of claim 55, wherein the 
threshold value for a category is defined as the presence of no predetermined 
expressions. 

58 (Previously Presented) The method of claim 55, wherein said 
computer network is a wide area network. 

59. (Previously Presented) The method of claim 55, wherein said 
computer network is a local area network. 

60. (Cancelled). 

61 . (Previously Presented) The method of claim 55, further comprising 
outputting a report relating to the presence of predetermined expressions whose 
sum meets or exceeds the threshold value of a category. 

62. (Previously Presented) The method of claim 61 , wherein said report 
identifies individuals whose use of the computer network included 
communications which contained predetermined expressions whose sum 
matched or exceeded the threshold value of at least one category. 
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63. (Previously presented) The method of claim 61, wherein said report 
identifies network addresses where communications were received or originated 
that included predetermined expressions whose sum matched or exceeded the 
threshold value of at least one category. 

64. (Previously Presented) The method of claim 63, wherein said report 
is in a graphical format and at least a portion of the stored communications is 
displayed in a user interface in a form matching that generated or viewed during 
the monitored TCP/IP network communications. 

65. (Previously Presented) The method of claim 1 wherein at least one 
stored half session comprises a plurality of independent parts, and the testing is 
performed individually on each independent part. 

66. (Previously Presented) The method of claim 65 wherein the 
independent parts comprise individual email messages. 

67. (Previously Presented) The method of claim 65 wherein the 
independent parts comprise message attachments. 

68. (Previously Presented) The method of claim 1 further comprising: 
prior to the testing, attempting to identify a protocol by comparing the 

stored TCP/IP network communications with known protocol patterns, wherein 
when the attempting results in one of the known protocol patterns being 
identified, the testing of the stored communications involves testing of each 
independent part of the stored TCP/IP network communications associated with 
the identified one of the known protocol patterns. 
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